xekon Posted February 16, 2013 (edited)

I have been developing a PHP web site and have been trying to follow suggested best practices. I am running an Ubuntu minimal install and installed the following packages: nginx php5 php5-fpm postgresql phppgadmin php5-gd. I have nginx up and running instead of Apache. I have done some basic configuration for nginx, got my vhost set up and linked, and I am now able to browse my PHP pages on my local test machine running Ubuntu. I have created my Postgres database and have a user set up.

So I am at the point that I wanted to create a page to register/login/change password. I searched and found http://stackoverflow...asswords-safely (posted back in 2010), which links to this guide using phpass: http://www.openwall....Users-Passwords The guide/tutorial was created using MySQL; I have been swapping out functions for their equivalent PostgreSQL functions using the PostgreSQL documentation. I modified the guide to the point that I can create new users in my Postgres database. When I got to the point "How to authenticate existing users" I hit a snag.
MySQL version from the guide:

    } else {
        $hash = '*'; // In case the user is not found
        ($stmt = $db->prepare('select pass from users where user=?'))
            || fail('MySQL prepare', $db->error);
        $stmt->bind_param('s', $user)
            || fail('MySQL bind_param', $db->error);
        $stmt->execute()
            || fail('MySQL execute', $db->error);
        $stmt->bind_result($hash)           // fetch() writes the column into $hash
            || fail('MySQL bind_result', $db->error);
        if (!$stmt->fetch() && $db->errno)
            fail('MySQL fetch', $db->error);

        if ($hasher->CheckPassword($pass, $hash)) {
            $what = 'Authentication succeeded';
        } else {
            $what = 'Authentication failed';
        }
        unset($hasher);
    }

My version:

    } else {
        $hash = '*'; // In case the user is not found
        // single quotes: $1 is a PostgreSQL placeholder, not a PHP variable
        pg_prepare($dbconn, "quser", 'SELECT pass FROM users WHERE pk_users=$1')
            or fail('pg_prepare failed ', pg_last_error($dbconn));
        // pg_execute() returns a result resource, not the column value
        $hashx = pg_execute($dbconn, "quser", array($user))
            or fail('pg_execute failed ', pg_last_error($dbconn));
        // pg_fetch_result() returns FALSE when the requested row does not exist
        $hash = pg_fetch_result($hashx, 1, 'pass');
        if (!$hash && pg_last_error($dbconn))
            fail('pg_execute failed.2 ', pg_last_error($dbconn));

        if ($hasher->CheckPassword($pass, $hash)) {
            $what = 'Authentication succeeded';
        } else {
            $what = 'Authentication failed';
            $op = 'fail'; // Definitely not 'change'
        }
    }

I think it has to do with bind_result($hash). I used $hashx = pg_execute(); I assumed it would take the result of pg_execute() and store it in the $hashx variable, and I thought that was what bind_result($hash) was doing in the MySQL example.
Here is the error from the server logs:

    2013/02/15 19:01:12 [error] 16860#0: *1 FastCGI sent in stderr: "PHP message: PHP Warning: pg_fetch_result(): Unable to jump to row 1 on PostgreSQL result index 5 in ..../testing.com/public/inc/user-man.php on line 91" while reading response header from upstream, client: 192.168.1.150, server: testing.com, request: "POST /inc/user-man.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "testing.com", referrer: "http://testing.com/inc/user-man.html"

Also, if anyone has any input on whether or not this is still best practice for user registration/password security, please let me know. In addition to having a good user/password system, I know that I am going to need to recheck my configuration for both nginx and PostgreSQL to make sure everything is locked down and secure, as well as user permissions; I have not looked for any info/guides on any of this yet. Thanks so much for any responses, I appreciate it.

Edited February 16, 2013 by xekon
xekon Posted February 16, 2013 (edited)

DOH! I figured out the problem. The PHP manual example shows using the first row as the result; once I changed the row to 0 it worked. So it must start at row 0 for results, not row 1: http://www.php.net/m...etch-result.php

I am still very curious to know if there are any security concerns using this method/guide/tutorial. So, for anyone that is curious, here is the tutorial I followed: http://www.openwall....Users-Passwords On that page there is an archive with all of the example documents; I used the files from the "demo4" folder, which is just before "How to enforce a password policy". I was having an issue getting that to work, and I am thinking some simple regex matching might be enough to enforce the password policy. For anyone that wants the complete edits to the file "user-man.php" for PostgreSQL: http://pastebin.com/nb5YiBAX

The authentication in this guide just checks if the supplied password is correct; now I need to read up on how to handle creating a session, so they stay logged in between pages and whatnot.

Edited February 16, 2013 by xekon
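The following is an added example, not the poster's user-man.php and not the openwall demo code. It shows the row-0 fix from the post above together with the two things the post asks about next: a simple regex password policy and starting the logged-in session. It assumes an open pg_connect() handle in $dbconn, the phpass class loaded from a file named PasswordHash.php, and the poster's table users(pk_users, pass) holding phpass hashes; the fail() helper and the form field names (user, pass, op) are stand-ins for the tutorial's.

```php
<?php
// Added example; assumes phpass is available at this path
require 'PasswordHash.php';

// Minimal stand-in for the tutorial's fail(): log the detail server-side,
// send only a generic message to the client.
function fail($pub, $pvt = '')
{
    error_log($pub . ' ' . $pvt);
    header('HTTP/1.1 500 Internal Server Error');
    exit('An error occurred');
}

// Fetch the stored hash for a user name. Returns '*' when the user does not
// exist: crypt() never produces a string equal to '*', so CheckPassword()
// fails for unknown users without any special-casing in the caller.
function lookup_hash($dbconn, $user)
{
    // $1 is bound server-side by PostgreSQL; the value is never interpolated
    $res = pg_query_params($dbconn,
        'SELECT pass FROM users WHERE pk_users = $1', array($user));
    if ($res === false) {
        fail('pg_query_params failed', pg_last_error($dbconn));
    }
    if (pg_num_rows($res) === 0) {
        return '*';
    }
    // Result rows are 0-indexed: the first row is row 0, which is what the
    // "Unable to jump to row 1" warning in the server log was about.
    return pg_fetch_result($res, 0, 'pass');
}

// Returns true when $pass matches the stored phpass hash for $user.
function authenticate($dbconn, $user, $pass)
{
    $hasher = new PasswordHash(8, false); // phpass in bcrypt mode, as in the demo
    $ok = $hasher->CheckPassword($pass, lookup_hash($dbconn, $user));
    unset($hasher);
    if ($ok) {
        // Begin the logged-in session on a fresh session id, so a session id
        // an attacker planted in the browser before login is not upgraded.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
    }
    return $ok;
}

// Regex-based policy check of the kind the post suggests. Returns the list
// of rules the password fails; an empty array means it is acceptable.
function password_policy_errors($user, $pass)
{
    $errors = array();
    if (strlen($pass) < 8)               $errors[] = 'at least 8 characters';
    if (!preg_match('/[a-z]/', $pass))   $errors[] = 'a lowercase letter';
    if (!preg_match('/[A-Z]/', $pass))   $errors[] = 'an uppercase letter';
    if (!preg_match('/[0-9]/', $pass))   $errors[] = 'a digit';
    if ($user !== '' && stripos($pass, $user) !== false)
        $errors[] = 'must not contain the user name';
    return $errors;
}

// Usage sketch (DSN and field names are assumptions, not the tutorial's)
session_start();
$dbconn = pg_connect('dbname=testing user=testing') or fail('pg_connect failed');
if (isset($_POST['op']) && $_POST['op'] === 'login') {
    $what = authenticate($dbconn, $_POST['user'], $_POST['pass'])
        ? 'Authentication succeeded' : 'Authentication failed';
} elseif (isset($_POST['op']) && $_POST['op'] === 'new') {
    $bad = password_policy_errors($_POST['user'], $_POST['pass']);
    $what = $bad ? 'Password needs: ' . implode(', ', $bad) : 'Password accepted';
}
```

The '*' sentinel is the same trick the openwall demo uses for its "user not found" case; keeping the lookup and the check in separate functions just makes the 0-based row index and the not-found path visible in one place. session_start() has to run before session_regenerate_id(), and any page that requires login then only needs to test $_SESSION['user'].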
rootKID Posted February 18, 2013

Hmm... not sure if there is any trouble, but when I am creating passwords for users and such, I usually run MD5 protection over the password as a start, and after that SHA1 over it, just to make sure the security is fine before sending it into the user database. But as far as I can read (not the biggest PHP expert yet, so if anyone sees that I got it wrong, please correct me), it seems fine to me...
xekon Posted February 18, 2013

phpass uses salt + stretching, and the default is Blowfish, which is preferred over MD5 by most.
birbal Posted February 18, 2013

MD5 and SHA1 are both not secure anymore. SHA-512 and SHA-256 from the SHA-2 family, Blowfish (as already stated), Whirlpool etc. are the preferred way. PHPass is good, but there is also the native function http://php.net/hash for using different algorithms.
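As an added example (not code from this thread, from phpass or from the openwall tutorial), the script below puts the "MD5 then SHA1" scheme from rootKID's post next to the salted, stretched Blowfish hash that xekon's reply refers to. phpass in its non-portable mode gets that hash from PHP's crypt() with a Blowfish setting string; here crypt() is called directly so the script runs without phpass. It assumes PHP 5.3.7 or later (for the $2y$ prefix) with the openssl extension; the sample password is constructed.

```php
<?php
// Added example; contrasts an unsalted fast hash with bcrypt via crypt().

// No salt, no stretching: the same password always gives the same string,
// and computing it takes well under a microsecond.
function unsalted_hash($password)
{
    return sha1(md5($password));
}

// bcrypt: 128-bit random salt and 2^cost rounds of Blowfish key setup.
function bcrypt_hash($password, $cost = 10)
{
    $raw = openssl_random_pseudo_bytes(16);
    // crypt() wants the salt as 22 characters from the alphabet ./A-Za-z0-9
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // a bcrypt string is always 60 characters; crypt() returns a short
    // '*0' or '*1' string when it does not support the setting
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Verify by re-running crypt() with the stored string as the setting: the
// salt and cost are read back out of it, so nothing else needs storing.
function bcrypt_check($password, $stored)
{
    $calc = crypt($password, $stored);
    // constant-time comparison (hash_equals() only exists from PHP 5.6)
    if (strlen($calc) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($calc); $i++) {
        $diff |= ord($calc[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

$password = 'correct horse battery';   // constructed sample input

$a = unsalted_hash($password);
$b = unsalted_hash($password);
echo "sha1(md5()), hashed twice:\n  $a\n  $b\n";
echo "  identical: ", ($a === $b ? 'yes' : 'no'), "\n";
echo "  (two users with this password are visible as such, and one\n",
     "   precomputed table for sha1(md5(x)) cracks both at once)\n\n";

$h1 = bcrypt_hash($password);
$h2 = bcrypt_hash($password);
echo "bcrypt, hashed twice:\n  $h1\n  $h2\n";
echo "  identical: ", ($h1 === $h2 ? 'yes' : 'no'), "\n";
echo "  both verify: ",
     (bcrypt_check($password, $h1) && bcrypt_check($password, $h2) ? 'yes' : 'no'), "\n";
echo "  wrong password accepted: ",
     (bcrypt_check('wrong password', $h1) ? 'yes' : 'no'), "\n\n";

// Stretching: each +1 on the cost doubles the work for the attacker and
// for your login page alike; pick the largest cost your latency budget allows.
foreach (array(8, 10, 12) as $cost) {
    $t0 = microtime(true);
    bcrypt_hash($password, $cost);
    printf("bcrypt cost %2d: %.3f s per hash\n", $cost, microtime(true) - $t0);
}
```

Running it prints two identical sha1(md5()) strings, two different bcrypt strings that both verify, and a per-hash time that roughly quadruples from cost 8 to cost 10 and again to cost 12. Swapping MD5/SHA1 for SHA-256 or Whirlpool via hash() changes the digest but not the two properties the demonstration is about: without a per-password salt equal passwords still collide, and without stretching the attacker's guess rate stays at the raw speed of the hash.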